CVE-2026-2614 — UNKNOWN AI Security Vulnerability

CISO Take

MLflow's model version creation handler contains a path traversal flaw that allows any unauthenticated attacker with network access to the MLflow tracking server to read arbitrary files from its filesystem. The exploit requires a single crafted API request — no credentials, no prior access — making exploitation trivially achievable by a script-kiddie once the attack primitive is published. MLflow servers in typical MLOps environments hold or have access to cloud provider credentials, API keys in environment files, model weights, and proprietary training data, meaning a successful read can cascade into full cloud account compromise. Organizations should upgrade to MLflow 3.10.0 immediately; if patching cannot be done today, restrict MLflow server network exposure to trusted IP ranges only and audit recent model version creation logs for source paths outside the expected model artifact directories.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

HIGH for any organization running MLflow ≤ 3.9.0 with a network-reachable tracking server. The authentication bypass is complete — zero credentials required — and the exploit primitive is explicit from the CVE description, meaning weaponization time is measured in hours once public attention lands on this. MLflow's typical deployment posture (internal data-center or VPC with assumed-safe network perimeter) creates a false sense of security; lateral movement from a compromised internal host or a misconfigured security group is sufficient to reach these servers. No CVSS score is assigned yet, but the attack vector (network), privileges required (none), and impact (complete confidentiality loss) place this firmly in the 9.x Critical range under standard scoring.

Attack Kill Chain

Target Identification

Attacker discovers a network-accessible MLflow tracking server, which requires no authentication in default configurations.

AML.T0006

Validation Bypass

Attacker sends an unauthenticated CreateModelVersion API request including the tag `mlflow.prompt.is_prompt` with an arbitrary filesystem path (e.g., `/home/mlflow/.aws/credentials`) as the model version source, bypassing source path validation.

AML.T0049

File Exfiltration

Attacker requests the model version artifact via the artifact handler endpoint; the server serves the targeted file verbatim without re-validating the model version's prompt status.

AML.T0025

Credential Harvest & Pivot

Attacker uses exfiltrated cloud credentials or API keys to access downstream infrastructure — S3 buckets, GCS, model registries — containing proprietary model weights and training datasets.

AML.T0055

Target Identification

Attacker discovers a network-accessible MLflow tracking server, which requires no authentication in default configurations.

AML.T0006

Validation Bypass

Attacker sends an unauthenticated CreateModelVersion API request including the tag `mlflow.prompt.is_prompt` with an arbitrary filesystem path (e.g., `/home/mlflow/.aws/credentials`) as the model version source, bypassing source path validation.

AML.T0049

File Exfiltration

Attacker requests the model version artifact via the artifact handler endpoint; the server serves the targeted file verbatim without re-validating the model version's prompt status.

AML.T0025

Credential Harvest & Pivot

Attacker uses exfiltrated cloud credentials or API keys to access downstream infrastructure — S3 buckets, GCS, model registries — containing proprietary model weights and training datasets.

AML.T0055

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	—	No patch
25.8K OpenSSF 4.7 624 dependents Pushed 2d ago 23% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

1 step

1) Upgrade to MLflow 3.10.0 immediately — this is the only complete fix. 2) If immediate patching is blocked, restrict network access to the MLflow tracking server to explicitly allowlisted IP ranges; do not rely on VPC perimeter as sole control. 3) Review MLflow server process privileges and ensure it runs under a dedicated service account with minimal filesystem permissions (no access to ~root, ~/.ssh, ~/.aws). 4) Audit model version creation events in MLflow logs from the past 90 days; flag any CreateModelVersion requests where the source field contains paths outside expected artifact directories (e.g., /etc/, /home/, ~/.aws/, /var/secrets/). 5) Rotate all credentials that may have been accessible to the MLflow server process — cloud API keys, database passwords, service account tokens. 6) Enable authentication on MLflow tracking servers if not already in place; the default MLflow configuration ships with no authentication.

Classification

Auth Bypass Data Extraction Framework Training Data AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.5 - Data acquisition and preparation safeguards A.9.3 - Information about AI system functioning

NIST AI RMF

GOVERN 6.2 - Organizational risk management policies cover AI risk MANAGE 1.3 - Responses to AI risks and adverse impacts

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-2614?

MLflow's model version creation handler contains a path traversal flaw that allows any unauthenticated attacker with network access to the MLflow tracking server to read arbitrary files from its filesystem. The exploit requires a single crafted API request — no credentials, no prior access — making exploitation trivially achievable by a script-kiddie once the attack primitive is published. MLflow servers in typical MLOps environments hold or have access to cloud provider credentials, API keys in environment files, model weights, and proprietary training data, meaning a successful read can cascade into full cloud account compromise. Organizations should upgrade to MLflow 3.10.0 immediately; if patching cannot be done today, restrict MLflow server network exposure to trusted IP ranges only and audit recent model version creation logs for source paths outside the expected model artifact directories.

Is CVE-2026-2614 actively exploited?

No confirmed active exploitation of CVE-2026-2614 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2614?

1) Upgrade to MLflow 3.10.0 immediately — this is the only complete fix. 2) If immediate patching is blocked, restrict network access to the MLflow tracking server to explicitly allowlisted IP ranges; do not rely on VPC perimeter as sole control. 3) Review MLflow server process privileges and ensure it runs under a dedicated service account with minimal filesystem permissions (no access to ~root, ~/.ssh, ~/.aws). 4) Audit model version creation events in MLflow logs from the past 90 days; flag any CreateModelVersion requests where the source field contains paths outside expected artifact directories (e.g., /etc/, /home/, ~/.aws/, /var/secrets/). 5) Rotate all credentials that may have been accessible to the MLflow server process — cloud API keys, database passwords, service account tokens. 6) Enable authentication on MLflow tracking servers if not already in place; the default MLflow configuration ships with no authentication.

What systems are affected by CVE-2026-2614?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registries, training pipelines, experiment tracking infrastructure.

What is the CVSS score for CVE-2026-2614?

No CVSS score has been assigned yet.

Technical Details

NVD Description

A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.

Exploitation Scenario

An attacker targeting an organization's ML infrastructure performs reconnaissance and identifies a publicly reachable or internally accessible MLflow tracking server (common in developer environments, CI/CD pipelines, or misconfigured VPCs). Without any credentials, the attacker sends a POST request to the MLflow REST API to create a model version, embedding the tag `mlflow.prompt.is_prompt` and setting the source field to a sensitive filesystem path such as `/home/mlflow/.aws/credentials` or `/etc/environment`. The source path validation check is bypassed because the presence of the prompt tag triggers a code path that skips path sanitization. The attacker then issues a GET request to retrieve the model version's artifacts, and the `get_model_version_artifact_handler()` serves the file contents verbatim without re-validating the model version's prompt status. The attacker now holds cloud credentials and can pivot to S3 buckets, GCS, or Azure Blob Storage containing proprietary model weights and training datasets.